CVE-2026-30840
Server-Side Request Forgery in Wallos Notification Tester
Publication date: 2026-03-07
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wallosapp | wallos | to 4.6.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-30840 is a high-severity Server-Side Request Forgery (SSRF) vulnerability found in the notification testing endpoints of the Wallos application prior to version 4.6.2.'}, {'type': 'paragraph', 'content': 'The vulnerability exists because several endpoints accept arbitrary URLs and perform server-side HTTP requests without properly validating or restricting requests to private, reserved, or loopback IP addresses.'}, {'type': 'list_item', 'content': 'Affected endpoints include testwebhooknotifications.php, testgotifynotifications.php, testntfynotifications.php, and savewebhooknotifications.php.'}, {'type': 'list_item', 'content': 'An authenticated user with a valid CSRF token can exploit this without needing admin privileges.'}, {'type': 'paragraph', 'content': 'The root cause is insufficient validation of URLs, allowing requests to internal network services, including localhost and cloud metadata endpoints, and the use of an "ignore_ssl" flag disables TLS certificate verification, increasing risk.'}] [1]
How can this vulnerability impact me? :
This vulnerability can have serious impacts on the confidentiality, integrity, and availability of your internal network and services.
- Attackers can make the server perform unauthorized HTTP requests to internal services, potentially accessing sensitive internal resources or admin panels.
- It enables internal network scanning and interaction, which can lead to lateral movement within the network.
- The disabled TLS certificate verification can allow interception or manipulation of traffic.
- Persistent SSRF attacks are possible by saving malicious URLs that the server later accesses automatically.
Overall, exploitation could lead to data exfiltration, unauthorized access, and disruption of services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SSRF vulnerability can be detected by monitoring and testing the notification tester endpoints of the Wallos application, specifically testwebhooknotifications.php, testgotifynotifications.php, testntfynotifications.php, and savewebhooknotifications.php.
Detection involves sending authenticated requests with valid CSRF tokens to these endpoints with URLs pointing to internal or localhost IP addresses (e.g., 127.0.0.1:8080) and observing if the server performs the HTTP requests.
A practical approach is to run a local HTTP server on the target machine (e.g., on 127.0.0.1:8080) and then use curl or similar tools to send requests to the vulnerable endpoints with payload URLs targeting this local server.
- Run a local HTTP server: python3 -m http.server 8080
- Use curl to send an authenticated POST request with a valid CSRF token to testwebhooknotifications.php with a URL parameter pointing to http://127.0.0.1:8080
- Check server logs or the local HTTP server logs to confirm if the request was made, indicating SSRF vulnerability.
Note that authentication and a valid CSRF token are required to perform these tests.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Wallos application to version 4.6.2 or later, where this SSRF vulnerability has been patched.
If upgrading is not immediately possible, apply the following measures:
- Implement strict validation to reject URLs that resolve to private, reserved, or loopback IP addresses such as 127.0.0.1, 10.0.0.0/8, and 169.254.0.0/16.
- Disallow URLs containing localhost, loopback, and link-local addresses in the notification tester endpoints.
- Remove or restrict the βignore_sslβ option to enforce proper TLS certificate validation.
- Consider allowlisting trusted external notification hosts or require administrative approval for arbitrary URLs.
- Log and rate-limit tester requests and consider isolating testing functionality in a separate environment.